CrowdSec Agent
Local detection, global remediation
Real-time detection of suspicious traffic & behavior
CrowdSec Agent, an intrusion prevention system, protects against attacks on any server by parsing real-time service logs (server, SSH, WordPress logs, etc.). The agent detects behaviors that indicate intrusion or unauthorized action.
- A variety of scenarios to detect attacks: bruteforce, HTTP attacks, scans, L7 DDoS, website scalping/scraping, etc.
- Compatible with most OS (Linux/BSD/Windows) and all popular servers (Nginx, Apache, Traefik, Caddy, etc.). Works in container-based setups and can be used at the application level with WordPress, Magento, or any PHP or Python-based website.
- Written in Go to ensure fast execution and low memory footprint. It comes with an easy-to-install setup wizard and integrates seamlessly with any CI/CD or cybersecurity process.
Our bouncer blocks cyberattacks
CrowdSec Agent comes with a remediation component, called a "bouncer", to act on identified threats. The bouncer interfaces with existing software such as firewalls to ban or block nefarious IPs. It also consumes the community blocklist to preventively block IPs that have been shared by CrowdSec users.
- Compatible with most firewalls, whether they come with Linux (iptables, nftables) or a dedicated OS such as OPNsense. The bouncer also supports web application firewalls such as Cloudflare or AWS WAF.
- Decoupled from the detection mechanism for flexible setups where detection is done on one machine, while remediation is achieved on other machines.
- Customizable. While bouncers are usually used to ban/block IPs or insert Captcha challenges, custom bouncers can be created to execute any script.
Community-fueled blocklist
CrowdSec uses the power of the crowd to maintain and distribute IP blocklists to preventively block intrusions. Based on the gathered behavior patterns, the service evaluates the reputation of an IP address in real time.
- Our curation mechanism ensures the reliability of the blocklists sent back to users. Combining a trust rank mechanism, behavior, our own honeypot network and a whitelist, the consensus engine ensures blocklists contain only "shoot-on-sight" IP addresses.
- IP threat level is evaluated in stream processing, based on sightings from the CrowdSec network. This highly dynamic system ensures that blocklists contain no false positives or poisoning attempts, allowing your IPS to focus on really dangerous IPs.
Open source since day 1
CrowdSec was created by developers with a strong background in FOSS. For us, open-sourcing CrowdSec Agent is critical to guarantee full transparency, quality and reliability to our users, while offering the community the opportunity to contribute to the code base.
- Open-sourced under the MIT license, the most permissive in the world.
- We welcome contributions from the community whether it is to enhance the code base of Agent or to create new attack detection scenarios, bouncers or ports on new platforms.
- The CrowdSec Hub centralizes all detection scenarios, bouncers or collections developed by the CrowdSec team and the community. Check it out for the latest updates!
How the CrowdSec Agent works
Why use our Agent
Reduce intrusions by 90%
By using CrowdSec Agent, users noticed a 90% drop in intrusion attempts on their online services, due to the community blocklist containing a curated list of aggressive IPs.
Eliminate alert fatigue with 0 false positives
By preventively blocking aggressive IPs and Internet background noise, SOC teams and security analysts can focus on alerts that matter.
Seamless setup
CrowdSec Agent was developed to fit the needs of modern IT setups. Working with all popular server OS, containers, servers and applications, Agent is easy to set up and integrates effortlessly with your CI/CD process.
CrowdSec Agent in a few figures
- 3M: Rogue IPs in the CTI database
- 30K: "Shoot-on-sight" IPs in the blocklist
- 1.5M: Signals/day received from the community
- +50K: Machines contributing to the CTI